00:00:18 hrm, i think i figured it out, just had to :duck: it
02:03:29 guys, im trying to install freebsd on virt-manager kvm, the mouse dont work
03:01:59 hmm, well I was about an hour late on responding to that question LOL
03:06:33 SponiX: Erm?
03:28:57 I have always had the virt-manager defaults be okay. But if the mouse is not working then almost certainly it is missing a device. For KVM the best device is the tablet driver because it uses absolute X-Y coordinates instead of the mouse driver's relative motion coordinates. It works better through the layers that way.
05:56:04 it's not really designed for that is it
05:56:07 ?
13:49:08 is ntt in .jp engaged in freebsd much?
17:51:24 I'm getting confused by binat rules in pf. I'm getting this error: 'binat' source mask and redirect mask must be the same. I'm really not sure what this means, because that's not true in any of the examples in pf.conf(5).
17:52:55 Zerock, If you want a review you will need to pastebin your pf.conf file so that others can see it.
17:52:56 binat is mapping 192.168.3.0/24 to 100.50.3.0/24
17:53:38 one ip to one ip, so they'd need the same mask or it would no longer be 1:1
17:54:56 ohh, I think I see what you mean
17:55:27 how can i restart my laptop that has no power button.. i forgot to make install clean dwm and now its stuck with the cursor in the top left corner
17:55:34 i can't ctrl+alt+delete, nothing
17:55:53 ssh into it?
17:55:59 oo
17:56:11 ctrl-alt-f3 for a tty and log in there
17:56:11 damn, don't know the ip
17:56:20 yea ttys aren't working either
17:56:22 nmap -p 22
17:56:23 its stuck
17:56:32 can i nmap the whole network for port 22 ?
17:56:44 okay then what's the best way to do what I'm trying to do? I want to use this machine as a gateway between a VPN and one particular other host inside my LAN. I have a rdr rule set up to accept a connection from the VPN and redirect it to the other machine on the LAN, but that other host doesn't have a route back to the client on the VPN. So I want to NAT the traffic from the VPN to the LAN address
17:56:47 of my gateway and vice versa so the return traffic is properly received.
17:56:51 yep. nmap -p 22 192.168.0.1/24
17:57:01 nice
17:57:06 oxbar: if your laptop has no power button, how do you even turn it on?
17:57:30 open the lid.. its a Lenovo it just turns on
17:57:33 its an old Yoga
17:57:53 also there is a Lenovo button thing when its kinda charged you can press and it tries to go to the bios and stuff
17:58:13 what a strange design
17:59:18 yep.. sound doesn't work i've literally tried everything and so have the people on the forums so i need to file a bug.. need to get info off the laptop for logs
18:04:11 Zerock: you could binat the single /32
18:04:14 ?
18:06:23 oh maybe that would work
18:06:58 oh wait... no, because the source can be anything on a /24 VPN
18:07:21 well, I did just get it working by adding two regular NAT rules
18:07:43 annoying to have the extra step but it does seem to work
18:14:27 Doesn't the Lenovo Yoga have a power button on the side? Pretty sure it does.
18:22:52 rtprio: Thanks for the sshd recommendations.. rebooted :D
18:30:16 rwp: my son broke it like a year ago.. its all smashed in
18:30:41 waiting on authorization so i can file a bug for this sound issue
18:30:59 is there a script i need to fill out when i file the bug ?
18:37:00 If anyone is using TheLounge in a 14.x-RELEASE jail, can I please see your rc script? I previously could run this software via daemon(8) in 13.x-RELEASE, and now I can't figure out why I am having issues on 14.3-RELEASE.
19:10:08 im using thelounge but i don't have any rc script or jail
19:10:10 sorry
19:11:52 running it in tmux or something? that's what i'm resorting to for the moment
19:23:03 scoobybejesus_tl: how daemon works shouldn't have changed very much between 13 and 14
19:24:31 depends on the versions of 13 and 14 you're talking about
19:25:59 we did a lot of refactoring of daemon(8) after 14 branched that was backported to both 13 and 14 at varying stages of their life. it should've all been non-functional-change, but mistakes do happen (and we caught a few)
19:41:04 what is the command to properly shut down a freebsd system? `shutdown now` gets me to a rescue shell prompt
19:41:12 shutdown -p now
19:41:15 ^^
19:41:22 or just poweroff which is an alias of shutdown -p now
19:41:34 how about removing the 10 second wait from the boot menu?
19:41:41 but the reboot is not the same, it doesn't wait for services to stop
19:41:43 autoboot_delay
19:41:46 2
19:41:51 ^^
19:42:03 (see loader.conf(5))
19:42:13 in /boot/loader.conf - autoboot_delay="-1"
19:42:23 wavefunction, kevans: ty
19:42:50 is there something to do to boot into multi-user mode when no autoboot delay is set? like in grub, when shift is pressed.
19:43:00 not boot into multi...
19:43:12 i mean how to enter single-user mode when you have autoboot_delay=2
19:43:54 nope, not really an escape hatch there
19:44:01 i see, ty
19:44:21 you probably want =0 if you're worried there
19:44:38 so with 0, you've the chance to spam 2 key to load into single?
19:44:56 Yeah: `If set to “0”, no delay is inserted, but any keys pressed while the kernel and modules are loaded will enter interactive mode.`
19:45:11 allegedly, but now that I write this out I don't really remember implementing that in lualoader
19:45:41 I wonder if it's implemented in the C bits
19:45:57 ok ty, dunno bout 'c bits' and 'lualoader'
19:46:38 good night
20:46:11 Hi! Just a newbie question... I have a BIOS computer with GPT, with a freebsd-boot type partition and a freebsd-zfs type partition containing a zfs-native-encrypted root dataset. I bootstrap the system with "gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot". Is it possible for freebsd with bectl to boot the zfs-native-encrypted root dataset? Do I need to create an unencrypted dataset and move the
20:46:12 files from /boot in the encrypted dataset to / in the unencrypted dataset?
20:48:04 i do not think /boot can be encrypted... furthermore i do not recall /boot even lives in the pool
20:50:44 andreas303: so far it's not possible to boot from zfs-native-encrypted
20:50:55 ...dataset
20:51:44 but you can have zfs-native-encrypted datasets within bootable zpool
20:53:18 mzar: I see. I've searched the internet for info about it, but it feels as if I've found contradictory information, so I felt a little confused.
20:54:16 mzar: A related question, is it possible for freebsd with bectl to boot a GELI-encrypted root dataset instead?
20:54:50 loader can do GELI, yes
20:55:02 andreas303: no worries, please feel free to do some experimentation, perhaps it's possible to boot from zfs-native-encrypted dataset using grub2
20:55:52 I am not using GELI-encrypted zpool, but yes, it should be doable
20:58:55 kevans: Ah, OK, I think I'll try the GELI approach then. I just wonder about /boot. After my recent install (for an unencrypted zfs dataset), /boot is just an ordinary directory in the root dataset, and it boots just fine. Should I move /boot to its own dataset or its own partition anyway?
21:00:12 Or, in other words, should I move /boot/* to a partition outside of the GELI-encrypted one when I install the GELI-encrypted root dataset?
21:00:14 andreas303: i'd tend to recommend setups where you can both meet your security goals and still keep /boot within the domain of the boot environment
21:00:29 GELI allows it to work because all of our boot programs can speak GELI now
21:01:37 so even in the gptzfsboot -> /boot/loader case, it should be fine (but this is admittedly a relatively recent innovation, past ~8 years or so)
21:01:53 :D
21:02:27 we used to have to do a horrid bootpool setup (and still do in some cases) where you have your main pool and a separate bootpool, then the bootpool gets mounted and symlinked to /boot and it's... all kind of gross
21:02:42 for exactly the reasons you've hit, we couldn't always read /boot
21:03:35 nobody has taken the time to teach loader about zfs encryption, and there's a non-zero chance that the BIOS bootloader/programs still wouldn't support it due to space issues
21:05:32 ha... that would be a real bummer
21:05:51 kevans: Hmm, sorry for another newbie question (I come from the linux world where boot stuff is a bit different), but what do you mean by "within the domain of the boot environment"? Do you mean that I should keep /boot as an ordinary directory in the GELI-encrypted root dataset, or do you mean that I should create a separate dataset for the contents of /boot within the root pool, or do you mean
21:05:53 that I should create a separate GPT partition with an unencrypted zfs-dataset containing the contents of /boot?
21:06:30 andreas303: yeah, that first one
21:06:43 it's better to keep it all under GELI encryption
21:07:43 kevans & mzar: I see. Sounds reasonable. OK, I'll try it and get back to this channel if I mess up. :) Thx for the advice!
21:08:14 good luck, happy booting
21:12:59 +1
21:14:45 FWIW, grub2 probably still doesn't support booting native encrypted zfs dataset
21:46:14 andreas303, I recommend doing a test install using the ISO installer so that you can see how it sets up an encrypted system using GELI. That would be a painless way to give you a look at the default fully encrypted system.
21:46:21 Such as this install iso: https://download.freebsd.org/releases/amd64/amd64/ISO-IMAGES/14.3/FreeBSD-14.3-RELEASE-amd64-disc1.iso
21:46:38 That would set up rather a base reference system of the current style.
21:47:56 However GELI pretty much requires you to be on the console which is fine if this is your laptop. No ability to do a remote boot. That's a problem on server systems.
21:48:28 In which case there is the freebsd-outerbase project. It boots a small system unencrypted and then uses that to bootstrap a second system that is fully encrypted.
21:48:36 https://forums.freebsd.org/threads/outerbase-install-script-for-remote-unlockable-geli-encrypted-root-on-zfs.80078/
21:48:41 https://github.com/emtiu/freebsd-outerbase
21:59:34 rwp: Thanks for the suggestions! It's not necessary to have remote unlocking functionality, even though it would be nice to have. For me it's more important to be able to roll back to earlier snapshots or other boot environments if I mess up. I will check out the freebsd-outerbase though.
22:07:19 rwp: Currently, I use https://github.com/Sec42/freebsd-remote-crypto/ to unlock a geli-encrypted root from the console or via dropbear (by means of rerooting), which works well. Unfortunately it doesn't support booting a zfs-native-encrypted root. I'm not sure if it supports snapshot rollback, so I want to try out other approaches to see which one is most suitable for me.
22:10:43 andreas303, Ah! That looks like yet another approach to solve the same problem of remote rebooting. I was unaware of that one and am adding it to my notes.
22:11:32 If you don't need remote rebooting then the standard installation using GELI is the best way to go. It's secure, robust, and well understood. Can't go wrong with it.
22:12:50 unless you forget your passphrase
22:53:39 Forgetting your passphrase does make it even more secure as even you won't be able to decrypt it.
22:55:40 Xe: Anubis is running flawlessly (freebsd+nginx+cgit+fcgiwrap) thanks to your instructions.
22:55:53 https://git.gluecode.net/
23:34:21 wavefunction: yay, happy to hear!
23:35:08 i'm working on automated BSD testing soon enough, gonna use dch's podman magic